From 5e1503f0bc365f529c162c783b94d2f1f2b393b2 Mon Sep 17 00:00:00 2001
From: plm
Date: Mon, 16 Dec 2024 14:50:39 +0100
Subject: [PATCH] oc-auth k8s integration
---
opencloud/Chart.yaml | 12 +++-
opencloud/dev-values.yaml | 66 +++++++++++++++++--
opencloud/templates/oc-auth/deployment.yaml | 41 ++----------
.../templates/oc-auth/openCloudOauth2.yaml | 14 ++--
opencloud/templates/oc-auth/pem.yaml | 4 +-
opencloud/templates/openCLoudConf.yaml | 25 +++++++
6 files changed, 110 insertions(+), 52 deletions(-)
create mode 100644 opencloud/templates/openCLoudConf.yaml
diff --git a/opencloud/Chart.yaml b/opencloud/Chart.yaml
index 236044c..142cfbf 100644
--- a/opencloud/Chart.yaml
+++ b/opencloud/Chart.yaml
@@ -5,7 +5,7 @@ type: application version: 0.0.1 appVersion: "0.0.1"
-# TODO: ory hydra, keto
+# TODO: grafana, loki dependencies: - name: openldap repository: https://jp-gouin.github.io/helm-openldap/
@@ -34,4 +34,12 @@ dependencies: - name: keto version: "0.50.2" repository: "https://k8s.ory.sh/helm/charts" - condition: keto.enabled
\ No newline at end of file
+ condition: keto.enabled
+- name: loki
+ version: "6.23.0"
+ repository: "https://grafana.github.io/helm-charts"
+ condition: loki.enabled
+- name: grafana
+ version: "8.6.4"
+ repository: "https://grafana.github.io/helm-charts"
+ condition: grafana.enabled
diff --git a/opencloud/dev-values.yaml b/opencloud/dev-values.yaml
index 8d4eb11..bf5246b 100644
--- a/opencloud/dev-values.yaml
+++ b/opencloud/dev-values.yaml
@@ -22,10 +22,12 @@ mongodb: architecture: standalone useStatefulSet: false auth:
+ enabled: true rootUser: root rootPassword: rootpwd - usernames: [] - passwords: []
+ databases: ["DC_myDC"]
+ usernames: ["opencloud"]
+ passwords: ["opencloud"] resourcesPreset: "small" replicaCount: 1 persistence:
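Review bot: The `usernames`, `passwords` and `databases` lists added here are read with `index … 0` by the new openCLoudConf.yaml, so once `ocAuth.enabled` is true they must stay non-empty; a comment such as `# element 0 of each list is consumed by the oc-auth ConfigMap` on the `databases: ["DC_myDC"]` line would stop a later edit from restoring the old `[]` defaults and breaking rendering. The application password `opencloud` and `rootPassword: rootpwd` are plaintext in a committed values file, which is only acceptable for a dev profile if it is labelled as such, e.g. `# dev-only fixtures, not for shared clusters`. The `mongodb:` block begins before this hunk.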
@@ -110,6 +112,13 @@ openldap: description: Records the last UID used to create a Posix account. This prevents the re-use of a UID from a deleted account. cn: lastUID
+ dn: cn=everybody,ou=groups,dc=example,dc=com
+ objectClass: top
+ objectClass: posixGroup
+ cn: everybody
+ memberUid: admin
+ gidNumber: 2003
+ 02-ldapadmin.ldif : |- dn: cn=ldapadmin,ou=groups,dc=example,dc=com objectClass: top
@@ -133,6 +142,31 @@ openldap: loginShell: /bin/bash homeDirectory: /home/ldapadmin
+ 03-opencloudadmin.ldif : |-
+ dn: cn=admin,ou=groups,dc=example,dc=com
+ objectClass: top
+ objectClass: posixGroup
+ cn: admin
+ memberUid: admin
+ gidNumber: 2002
+
+ dn: uid=admin,ou=users,dc=example,dc=com
+ givenName: John
+ sn: Doe
+ uid: admin
+ mail: john.doe@example.com
+ cn: JohnDoe
+ objectClass: person
+ objectClass: inetOrgPerson
+ objectClass: posixAccount
+ userPassword:: e0NSWVBUfSQ2JDdTZ0daU1FXJGw1ZWRTTHVDaDV6a0NvUlllZzFLd3MwUHRKQ jJQL09CQWdoc0RkbWhzTXJPcEpCbzR3b01yNWJQcjlubi8udWdzM25LcHlKQmt2eHVJWFM0eUQ1 cnox
+ uidNumber: 2002
+ gidNumber: 2002
+ loginShell: /bin/bash
+ homeDirectory: /home/admin
+ # ldap user manager configuration ldapUserManager: enabled: true
@@ -189,17 +223,31 @@ hydra: keto: enabled: true
+ keto:
+ config:
+ serve:
+ read:
+ port: 4466
+ write:
+ port: 4467
+ metrics:
+ port: 4468
+ namespaces:
+ - id: 0
+ name: open-cloud
+ dsn: memory ocAuth: - enabled: false - image: oc-auth:latest
+ enabled: true
+ image: oc/oc-auth:0.0.1 authType: hydra - hydra:
+ keto: adminRole: admin
+ hydra: openCloudOauth2ClientSecretName: oc-auth-got-secret ldap: bindDn: "cn=admin,dc=example,dc=com" - binPwd: "password"
+ binPwd: "admin@password" baseDn: "dc=example,dc=com" roleBaseDn: "ou=AppRoles,dc=example,dc=com" resources:
@@ -209,3 +257,9 @@ ocAuth: requests: cpu: "128m" memory: "256Mi"
+
+loki:
+ enabled: false
+
+grafana:
+ enabled: false
\ No newline at end of file
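Review bot: `uidNumber: 2002` and `gidNumber: 2002` are assigned by hand in the new `03-opencloudadmin.ldif`, while the `cn: lastUID` entry earlier in this same values block is described as recording the last UID handed out for Posix accounts; unless that counter is raised to cover 2002, a later account creation may presumably be issued the same number, so a comment on the `uidNumber` line (`# keep in sync with lastUID above`) would make the dependency visible. The `userPassword::` value is a committed {CRYPT} hash for the `admin` user; a one-line `# dev fixture, rotate before any shared deployment` comment on the entry would state the intent. Both the `everybody` group from the preceding hunk and the `admin` group here list `memberUid: admin`, which looks deliberate but is worth a comment. The `openldap:` block starts before and continues after this hunk.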
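Review bot: `dsn: memory` makes Keto hold its relation tuples in process memory, so every permission written through keto-write is lost when the pod restarts; fine for a dev profile, but it should say so, `dsn: memory  # dev only: relation tuples do not survive a restart`. `binPwd: "admin@password"` is the LDAP admin bind password in plaintext, and the companion openCLoudConf.yaml copies it into a ConfigMap rather than a Secret; at minimum the key deserves a `# dev fixture` comment, and since the misspelt `binPwd` is now part of the values contract read by that template, renaming it to `bindPwd` later will be harder. The added Keto config pins the read/write ports at 4466/4467 while the ConfigMap points oc-auth at port 80 of the keto-write service; that is consistent only if the keto chart's Service exposes 80, which is not visible here. The `ocAuth:` block continues past this hunk.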
diff --git a/opencloud/templates/oc-auth/deployment.yaml b/opencloud/templates/oc-auth/deployment.yaml
index f9f4842..d3c722e 100644
--- a/opencloud/templates/oc-auth/deployment.yaml
+++ b/opencloud/templates/oc-auth/deployment.yaml
@@ -26,46 +26,17 @@ spec: containers: - image: "{{ .Values.ocAuth.image }}" name: oc-auth
+ command: ["tail", "-f", "/dev/null"] volumeMounts: - name: public-key-volume - mountPath: /keys/public
+ mountPath: /keys/public/public.pem subPath: public.pem - name: private-key-volume - mountPath: /keys/private
+ mountPath: /keys/private/private.pem subPath: private.pem - env: - - name: OCAUTH_ADMIN_ROLE - value: "{{ .Values.ocAuth.hydra }}" - - name: OCAUTH_PUBLIC_KEY_PATH - value: /keys/public/public.pem - - name: OCAUTH_PRIVATE_KEY_PATH - value: /keys/private/private.pem - - name: OCAUTH_CLIENT_SECRET - value: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}" - - name: OCAUTH_AUTH - value: "{{ .Values.ocAuth.authType }}" - - name: OCAUTH_AUTH_CONNECTOR_HOST - value: "{{ .Release.Name }}.hydra-admin.{{ .Release.Namespace }}" - - name: OCAUTH_AUTH_CONNECTOR_PORT - value: 4444 - - name: OCAUTH_AUTH_CONNECTOR_ADMIN_PORT - value: 4445 - - name: OCAUTH_PERMISSION_CONNECTOR_HOST - value: "{{ .Release.Name }}.keto-write.{{ .Release.Namespace }}" - - name: OCAUTH_PERMISSION_CONNECTOR_PORT - value: 80 - - name: OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT - value: 80 - - name: OCAUTH_LDAP_ENDPOINTS - value: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389" - - name: OCAUTH_LDAP_BINDDN - value: "{{ index .Values.ocAuth.ldap.bindDn }}" - - name: OCAUTH_LDAP_BINDPW - value: "{{ index .Values.ocAuth.ldap.binPwd }}" - - name: OCAUTH_LDAP_BASEDN - value: "{{ index .Values.ocAuth.ldap.baseDn }}" - - name: OCAUTH_LDAP_ROLE_BASEDN - value: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+ envFrom:
+ - configMapRef:
+ name: opencloud-config ports: - name: http containerPort: 80
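Review bot: `command: ["tail", "-f", "/dev/null"]` replaces the image's entrypoint, so oc-auth itself never starts even though the container still declares `containerPort: 80`; this reads as a debugging leftover and should be removed, or gated behind a values flag, before the chart is used. The switch to `envFrom` also means every variable, including OCAUTH_LDAP_BINDPW and the Mongo credentials inside OCAUTH_MONGO_URL, now comes from the `opencloud-config` ConfigMap; a second `- secretRef:` entry pointing at a Secret for the sensitive keys would keep the same environment contract without putting credentials in a ConfigMap. `name: opencloud-config` is not prefixed with `{{ .Release.Name }}` the way the hydra, keto and openldap hosts are, so two releases in one namespace would share and overwrite it. The container list and the surrounding `spec:` start before and end after this hunk.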
diff --git a/opencloud/templates/oc-auth/openCloudOauth2.yaml b/opencloud/templates/oc-auth/openCloudOauth2.yaml
index 062d788..57dcb72 100644
--- a/opencloud/templates/oc-auth/openCloudOauth2.yaml
+++ b/opencloud/templates/oc-auth/openCloudOauth2.yaml
@@ -2,10 +2,8 @@ apiVersion: hydra.ory.sh/v1alpha1 kind: OAuth2Client metadata: - name: openCloudClient
+ name: open-cloud-client spec: - clientId: test-client - clientSecret: oc-auth-got-secret grantTypes: - implicit - refresh_token
@@ -15,12 +13,14 @@ spec: - id_token - token - code
+ scope: openid profile email roles
+ secretName: oc-auth-got-secret redirectUris: - https://myapp.example.com/callback - scope: openid profile email roles - tokenEndpointAuthMethod: client_secret_post postLogoutRedirectUris: - -http://localhost:3000
+ - http://localhost:3000
+ tokenEndpointAuthMethod: client_secret_post allowedCorsOrigins: - http://localhost
-{{- end }}
\ No newline at end of file
+{{- end }}
+
\ No newline at end of file
diff --git a/opencloud/templates/oc-auth/pem.yaml b/opencloud/templates/oc-auth/pem.yaml
index 3ab5cc0..33d0125 100644
--- a/opencloud/templates/oc-auth/pem.yaml
+++ b/opencloud/templates/oc-auth/pem.yaml
@@ -1,5 +1,5 @@ {{- if index .Values.ocAuth.enabled }}
-# public-key-secret.yaml
+# peer public key: public-key-secret.yaml apiVersion: v1 kind: Secret metadata:
@@ -9,7 +9,7 @@ data: public.pem: | 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
---
-# private-key-secret.yaml
+# peer private key: private-key-secret.yaml apiVersion: v1 kind: Secret metadata:
diff --git a/opencloud/templates/openCLoudConf.yaml b/opencloud/templates/openCLoudConf.yaml
new file mode 100644
index 0000000..3072d53
--- /dev/null
+++ b/opencloud/templates/openCLoudConf.yaml
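Review bot: `secretName: oc-auth-got-secret` is a literal, while the consumer side (`OCAUTH_CLIENT_SECRET` in openCLoudConf.yaml) is templated from `.Values.ocAuth.hydra.openCloudOauth2ClientSecretName`; the two only agree because dev-values happens to set the same string, so write `secretName: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"` here as well. Note too that with `secretName` the client credentials live in that Kubernetes Secret, so OCAUTH_CLIENT_SECRET receives the Secret's name rather than the secret value; if oc-auth is expected to read the Secret itself that deserves a comment in values, otherwise the variable is misnamed. The retained `implicit` grant and `token` response type are context lines the commit does not touch, but now that `tokenEndpointAuthMethod: client_secret_post` marks this as a confidential client they are worth revisiting against current OAuth 2.0 guidance. The file now ends with a whitespace-only added line and no trailing newline, and the enclosing `{{- if … }}` block opens before the hunk.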
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: opencloud-config
+data:
+ OCAUTH_ADMIN_ROLE: "{{ .Values.ocAuth.keto.adminRole }}"
+ OCAUTH_PUBLIC_KEY_PATH: "/keys/public/public.pem"
+ OCAUTH_PRIVATE_KEY_PATH: "/keys/private/private.pem"
+ OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
+ OCAUTH_AUTH: "{{ .Values.ocAuth.authType }}"
+ OCAUTH_AUTH_CONNECTOR_HOST: "{{ .Release.Name }}-hydra-admin.{{ .Release.Namespace }}"
+ OCAUTH_AUTH_CONNECTOR_PORT: "4444"
+ OCAUTH_AUTH_CONNECTOR_ADMIN_PORT: "4445"
+ OCAUTH_PERMISSION_CONNECTOR_HOST: "{{ .Release.Name }}-keto-write.{{ .Release.Namespace }}"
+ OCAUTH_PERMISSION_CONNECTOR_PORT: "80"
+ OCAUTH_PERMISSION_CONNECTOR_ADMIN_PORT: "80"
+ OCAUTH_LDAP_ENDPOINTS: "{{ .Release.Name }}-openldap.{{ .Release.Namespace }}.svc.cluster.local:389"
+ OCAUTH_LDAP_BINDDN: "{{ index .Values.ocAuth.ldap.bindDn }}"
+ OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
+ OCAUTH_LDAP_BASEDN: "{{ index .Values.ocAuth.ldap.baseDn }}"
+ OCAUTH_LDAP_ROLE_BASEDN: "{{ index .Values.ocAuth.ldap.roleBaseDn }}"
+ OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
+ OCAUTH_MONGO_DATABASE: "{{ index .Values.mongodb.auth.databases 0 }}"
+ OCAUTH_NATS_URL: "nats://dev-nats.{{ .Release.Namespace }}.svc.cluster.local:4222"
+ OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"
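Review bot: OCAUTH_LDAP_BINDPW, the Mongo password embedded in OCAUTH_MONGO_URL, and OCAUTH_CLIENT_SECRET are written into a ConfigMap, which gets none of the handling Secrets get (separate RBAC rules, encryption at rest where configured, masking in tooling); those keys belong in a Secret that the deployment picks up through a `secretRef` entry next to its existing `configMapRef`. The `index … 0` lookups fail at render time when `mongodb.auth.usernames`, `passwords` or `databases` is empty, which was the chart's previous default, so either guard them or document the non-empty requirement in values. `OCAUTH_LOKI_URL: "{{ .Values.SERVER_PATH }}"` refers to a key that does not appear in dev-values in this commit and does not follow the `.Values.ocAuth.*` naming used by every other entry, so it presumably renders empty; `OCAUTH_NATS_URL` likewise hardcodes `dev-nats` where the other hosts use `{{ .Release.Name }}-…`. Unlike deployment.yaml and pem.yaml this template has no `{{- if .Values.ocAuth.enabled }}` guard, so the ConfigMap is rendered even when oc-auth is disabled.
```yaml
# … unchanged: ConfigMap header and the non-sensitive OCAUTH_* keys (sensitive three removed) …
---
apiVersion: v1
kind: Secret
metadata:
  name: opencloud-secret  # constructed name; reference it from the deployment's envFrom via secretRef
type: Opaque
stringData:
  OCAUTH_CLIENT_SECRET: "{{ .Values.ocAuth.hydra.openCloudOauth2ClientSecretName }}"
  OCAUTH_LDAP_BINDPW: "{{ index .Values.ocAuth.ldap.binPwd }}"
  OCAUTH_MONGO_URL: "mongodb://{{ index .Values.mongodb.auth.usernames 0 }}:{{ index .Values.mongodb.auth.passwords 0 }}@{{ .Release.Name }}-mongodb.{{ .Release.Namespace }}:27017/{{ index .Values.mongodb.auth.databases 0 }}"
```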